Hyper-V specific Event logs not being forwarded to Windows Event Collector

Richard Gibbons 21 Reputation points
2025-09-16T17:04:28.8166667+00:00

I am trying to configure my Hyper-V hypervisor to send all desired logs (see .xml below) to a Windows Event Collector. All the typical logs are moving as expected, but the Hyper-V specific logs are not. They can be viewed in the Event Viewer under Applications and Services Logs > Microsoft > Windows > Hyper-V-*.

Below is the Source computer initiated .xml specifying logs to be pulled with the Hyper-V specific ones called out near the bottom.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[EventID=4688]] and *[EventData[Data[@Name='SubjectLogonId'] = '0x3e7' and (
      Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchFilterHost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\SysWOW64\SearchProtocolHost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchProtocolHost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\backgroundTaskHost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\conhost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskeng.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\svchost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\sc.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\rundll32.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhostex.exe'
    )]]</Suppress>
    <Suppress Path="Security">(*[System[EventID=4769]] and *[EventData[Data[@Name='ServiceName'] = 'krbtgt']])
      or (*[System[EventID=4770]])
      or (*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType'] = '3']])
      or (*[System[EventID=4634]] and *[EventData[Data[@Name='LogonType'] = '3']])
    </Suppress>
  </Query>
  <Query Id="1" Path="Application">
    <Select Path="Application">*</Select>
  </Query>
  <Query Id="2" Path="System">
    <Select Path="System">*</Select>
  </Query>
  <Query Id="3" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
  <Query Id="4" Path="Microsoft-Windows-PowerShell/Operational">
    <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
  </Query>
  <Query Id="5" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">*[System[EventID=400]] or *[System[EventID=600]] or *[System[EventID=800]]</Select>
  </Query>
  <Query Id="6" Path="Microsoft-Windows-WMI-Activity/Operational">
    <Select Path="Microsoft-Windows-WMI-Activity/Operational">*[System[EventID=5857]] or *[System[EventID=5858]] or *[System[EventID=5859]] or *[System[EventID=5860]] or *[System[EventID=5861]]</Select>
  </Query>
  <Query Id="7" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
  </Query>
  <Query Id="8" Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">
    <Select Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">*</Select>
  </Query>
  <Query Id="9" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">
    <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*</Select>
  </Query>
  <Query Id="10" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
    <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*</Select>
  </Query>
  <Query Id="11" Path="Microsoft-Windows-GroupPolicy/Operational">
    <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>
  </Query>
  <Query Id="12" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
    <Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[EventID=2003]] or *[System[EventID=2004]] or *[System[EventID=2102]]</Select>
  </Query>
  <Query Id="13" Path="Microsoft-Windows-AppLocker/EXE and DLL">
    <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
    <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
  </Query>
  <Query Id="14" Path="Microsoft-Windows-AppLocker/Packaged app-Execution">
    <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
  </Query>
  <Query Id="15" Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">
    <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
  </Query>
  <Query Id="16" Path="Microsoft-Windows-SmartCard-Audit/Authentication">
    <Select Path="Microsoft-Windows-SmartCard-Audit/Authentication">*</Select>
  </Query>
  <Query Id="17" Path="Microsoft-Windows-SMBClient/Operational">
    <!-- get all UNC/mapped drive successful connection -->
    <Select Path="Microsoft-Windows-SMBClient/Operational">*[System[(EventID=30622 or EventID=30624)]]</Select>
  </Query>
  <Query Id="20" Path="Microsoft-Windows-Hyper-V-Compute/Operational">
    <Select Path="Microsoft-Windows-Hyper-V-Compute/Operational">*</Select>
  </Query>
  <Query Id="21" Path="Microsoft-Windows-Hyper-V-Config/Operational">
    <Select Path="Microsoft-Windows-Hyper-V-Config/Operational">*</Select>
  </Query>
  <Query Id="22" Path="Microsoft-Windows-Hyper-V-Guest-Drivers/Operational">
    <Select Path="Microsoft-Windows-Hyper-V-Guest-Drivers/Operational">*</Select>
  </Query>
  <Query Id="23" Path="Microsoft-Windows-Hyper-V-Hierarchical-NIC-Switch/Operational">
    <Select Path="Microsoft-Windows-Hyper-V-Hierarchical-NIC-Switch/Operational">*</Select>
  </Query>
  <Query Id="24" Path="Microsoft-Windows-Hyper-V-Hypervisor/Admin">
    <Select Path="Microsoft-Windows-Hyper-V-Hypervisor/Admin">*</Select>
    <Select Path="Microsoft-Windows-Hyper-V-Hypervisor/Operational">*</Select>
  </Query>
  <Query Id="26" Path="Microsoft-Windows-Hyper-V-StorageVSP/Admin">
    <Select Path="Microsoft-Windows-Hyper-V-StorageVSP/Admin">*</Select>
  </Query>
  <Query Id="27" Path="Microsoft-Windows-Hyper-V-VID/Admin">
    <Select Path="Microsoft-Windows-Hyper-V-VID/Admin">*</Select>
  </Query>
  <Query Id="28" Path="Microsoft-Windows-Hyper-V-VMMS/Admin">
    <Select Path="Microsoft-Windows-Hyper-V-VMMS/Admin">*</Select>
    <Select Path="Microsoft-Windows-Hyper-V-VMMS/Networking">*</Select>
    <Select Path="Microsoft-Windows-Hyper-V-VMMS/Operational">*</Select>
    <Select Path="Microsoft-Windows-Hyper-V-VMMS/Storage">*</Select>
  </Query>
  <Query Id="32" Path="Microsoft-Windows-Hyper-V-VMSP/Admin">
    <Select Path="Microsoft-Windows-Hyper-V-VMSP/Admin">*</Select>
  </Query>
  <Query Id="33" Path="Microsoft-Windows-Hyper-V-VmSwitch/Operational">
    <Select Path="Microsoft-Windows-Hyper-V-VmSwitch/Operational">*</Select>
  </Query>
  <Query Id="34" Path="Microsoft-Windows-Hyper-V-Worker/Admin">
    <Select Path="Microsoft-Windows-Hyper-V-Worker/Admin">*</Select>
    <Select Path="Microsoft-Windows-Hyper-V-Worker/Operational">*</Select>
  </Query>
  <Query Id="41" Path="Microsoft-Windows-Windows Defender/Operational">
    <!-- Modern Windows Defender event provider Detection events (1006-1009) and (1116-1119) -->
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[( (EventID &gt;= 1006 and EventID &lt;= 1009) )]]</Select>
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[( (EventID &gt;= 1116 and EventID &lt;= 1119) )]]</Select>
  </Query>
</QueryList>


Answer accepted by question author
Domic Vo 11,705 Reputation points Independent Advisor
2025-09-16T21:45:58.7866667+00:00

Dear Richard,

Thank you for reaching out regarding the forwarding of Hyper-V specific logs to your Windows Event Collector. We appreciate the detailed XML configuration you provided and your efforts in setting up source-initiated subscriptions.

While standard logs are forwarding successfully, Hyper-V logs under Applications and Services Logs > Microsoft > Windows > Hyper-V-* may require additional configuration. These logs are considered "operational" and sometimes need elevated permissions or explicit log access settings on the source system to be collected properly.

We recommend verifying that the Windows Event Collector account has sufficient access to these channels and that the Event Log Readers group includes the necessary permissions. Additionally, ensure that the Windows Remote Management (WinRM) service is running and properly configured on the source machine.

Let me know how it goes, and if this answer helps, feel free to hit "Accept Answer" so others can benefit too 😊 T&B,

Domic Vo

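One way to check the channel-access point raised in the answer against the Hyper-V channels from the question's XML, as an added example that is not the poster's or answerer's code. It assumes the source-initiated forwarder runs as NETWORK SERVICE (S-1-5-20) and that the channel list below is a constructed subset of the subscription; it only prints the corrective wevtutil command unless $ApplyFix is set.

```powershell
# Added example: run elevated on the Hyper-V source host. A channel is only forwarded if it
# exists, is enabled, and its channelAccess SDDL grants read (0x1) to the forwarder identity
# (NETWORK SERVICE) or a group it belongs to (Event Log Readers, S-1-5-32-573). Assumption.
$ApplyFix   = $false
$readerSids = @('S-1-5-20', 'S-1-5-32-573')

# Constructed subset of the Hyper-V channels named in the subscription XML above
$channels = @(
    'Microsoft-Windows-Hyper-V-Compute/Operational',
    'Microsoft-Windows-Hyper-V-Hypervisor/Admin',
    'Microsoft-Windows-Hyper-V-Hypervisor/Operational',
    'Microsoft-Windows-Hyper-V-VMMS/Admin',
    'Microsoft-Windows-Hyper-V-VMMS/Operational',
    'Microsoft-Windows-Hyper-V-VmSwitch/Operational',
    'Microsoft-Windows-Hyper-V-Worker/Admin'
)

foreach ($ch in $channels) {
    $log = Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue
    if (-not $log) { Write-Warning "$ch : channel does not exist on this host"; continue }
    if (-not $log.SecurityDescriptor) { Write-Warning "$ch : no SDDL readable; check manually"; continue }

    # Parse the channel SDDL and look for an allow ACE granting read to a forwarder SID
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($log.SecurityDescriptor)
    $canRead = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and ($ace.AccessMask -band 1) -and
            $readerSids -contains $ace.SecurityIdentifier.Value) { $canRead = $true }
    }

    [pscustomobject]@{
        Channel = $ch; Enabled = $log.IsEnabled; Records = $log.RecordCount
        ForwarderCanRead = $canRead; SDDL = $log.SecurityDescriptor
    } | Format-List

    if (-not $log.IsEnabled) { Write-Warning "$ch : channel is disabled, nothing will be forwarded" }
    if (-not $canRead) {
        # Build the corrected SDDL by appending an allow-read ACE for NETWORK SERVICE
        $ns  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
        $ace = New-Object System.Security.AccessControl.CommonAce(0, 'AccessAllowed', 1, $ns, $false, $null)
        $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
        $newSddl = $sd.GetSddlForm('All')
        Write-Warning "$ch : NETWORK SERVICE cannot read this channel"
        Write-Host   "  fix: wevtutil sl `"$ch`" /ca:`"$newSddl`""
        if ($ApplyFix) { wevtutil sl "$ch" /ca:"$newSddl" }
    }
}
```

After changing channel access, restart the Windows Event Collector subscription on the collector (or the Windows Remote Management service on the source) so the forwarder re-reads the channel ACLs.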

0 additional answers
